dms123 Posted September 11, 2015 Report Share Posted September 11, 2015 I have token_auth_enable as false - but it doesn't seem to take using uTorrent 3.3 on Linux. I think this is a really bad design, it creates race conditions when under heave load. Let's take for example a cluster of several uTorrent servers each doing 100 downloads each using the WebAPI "api". Obviously all of the requests being made aren't synchronous and likely spread across various processes, so you end up having bad tokens all the time and basically continue to make requests until it gets lucky and slips in there. I think a better approach to be to simply have an IP whitelist. In any case, is there a way to really disable this? Link to comment Share on other sites More sharing options...
DreadWingKnight Posted September 11, 2015 Report Share Posted September 11, 2015 Solving the race conditions will be better than opening your system up to malicious requests. I'll get someone to get in touch with you to work on them. Link to comment Share on other sites More sharing options...
dms123 Posted September 15, 2015 Author Report Share Posted September 15, 2015 Solving the race conditions will be better than opening your system up to malicious requests. I'll get someone to get in touch with you to work on them. Thank you, so in our case we have the web ui on a private ip. One suggestion if keeping the token would be to give it an expiry, instead of every page load. So even if you load the token.html 100x, if it's within 30min or whatever the threshold is, it doesn't change. Link to comment Share on other sites More sharing options...
Recommended Posts
Archived
This topic is now archived and is closed to further replies.